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(57) Abstract 



A computer system and method is provided for authenticating the identity of an authorised person. The basic concept is 
that a permitted user of an identification article such as a credit card will be given a personal identification number with the card 
and will be instructed not to use the personal identification number in the form in which it has been given but only to use delib- 
erately corrupted versions thereof. The computer system is then set up to detect whether the personal identification number of- 
fered for use is a properly corrupted version of the original personal identification number. 
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AUTHENTICATING THE IDENTITY OF AN 



AUTHORISED PERSON 



The present invention relates to authenticating the identity 
of an authorised person in connection, for example, with the 
use of identification articles such as credit cards and the 
like, and identification information such as computer 
passwords and the like. 

Currently identification articles such as credit cards and 
the like are offered for use carrying the signature of a 
permitted user. When a transaction is to be accomplished 
the user offers the card and signs a transaction voucher. 
The salesperson or clerk compares the signature on the 
transaction voucher with the signature on the card and the 
transaction is authenticated on that basis. However, 
signatures are reasonably easy to forge and it is common 
practice for a thief to steal a person's credit card and to 
familiarise themselves with the signature so that when they 
are called upon to use the card they can forge the 
signature. Furthermore, credit cards are often used to 
purchase goods by telephone where there is no requirement 
for authorisation other than the billing address for the 
card. Credit card fraud of this nature costs the industry a 
substantial amount of money each year and is a severe 
problem. Measures which are currently implemented to 
inhibit credit card fraud have not had any real impact on 
the cost to the industry, which continues to rise. 

Another type of identification article which is used is a 
card which has data stored on a magnetic stripe carried by 
the card which data can be read by a machine. These cards 
are used to obtain money from cash dispensing machines by 
inserting the card into the machine so that the data on the 
magnetic stripe is read by the machine and then inputting 
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a personal identification number (PIN) using a keyboard of 
the machine. If the personal identification number 
corresponds to that which has been stored in association 
with the particular data read from the card, the transaction 
is authenticated and money is produced. This type of card 
can also be used in other sales transactions in addition to 
cash dispensing machines. 

With such cards, a thief can watch a person using the card 
to determine the personal identification number and he can 
then steal the card and use that personal identification 
number to gain access to the card owner ' s funds . This 
facility has also inhibited more extensive use of personal 
identification numbers, for example to authenticate the use 
of ordinary credit cards at a point of sale. A thief could 
easily hear the personal identification number being given 
and then steal the credit card and use the number on a 
subsequent occasion. it is also possible for a thief to 
obtain from a cash dispensing machine a list of personal 
identification numbers which have been used in the machine. 

An example of identification information is a password for 
gaining access to data in a computer. Such passwords are 
vunerable to interception and fraudulent use. 

The present invention seeks to provide a solution to the 
severe difficulties associated with card and other fraud. 

According to ' the present invention there is provided a 
computer system for authenticating the identity of an 
authorised person, the computer system comprising: 

compare means operable to receive a first code 
comprising a plurality of characters in sequential positions 
identifying the authorised person and a second code 
comprising a plurality of characters in sequential positions 
obtained from an actual user and to compare the character of 
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the first code with the characters of the second code to 
determine whether the second code is a corrupted version of 
the first code according to a predetermined corruption 
algorithm; and 

output means for producing an authentication signal if 



the first and second codes differ according to the 
predetermined corruption algorithm. 

A method of authenticating an authorised person is also 
provided. 

In one embodiment, the compare means compares each character 
of the second code with the character in the corresponding 
position of the first code to determine identity between the 
codes in all but a predetermined number of the character 
positions; and > 
the output means produces an authentication signal if ^ 
the characters of the first and second codes differ at only f 
said predetermined number of the character positions or an > 4: 

invalid signal in other cases. 

Preferably, the predetermined number is one - this makes the 

invention simple to implement yet effective against fraud. ~* 

Thus, according to a first embodiment of the present 
invention there is provided a computer system for 
authenticating the identity of an authorised person the 
computer system comprising: 

compare means for receiving a first code comprising a 
plurality of characters in sequential positions identifying 
the authorised person and a second code comprising a 
plurality of characters in sequential positions obtained 
from an actual user and for comparing each character of the 
second code with the character in the corresponding position 
of the first code to determine identiy between the codes in 
all but one of the character positions; and 
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output means for producing an authentication signal if 
the characters of the first and second codes differ at only 
one of the character positions or an invalid signal in other 
cases. 

The first embodiment also provides a method of 
authenticating an authorised person comprising the steps of: 

receiving a first code comprising a plurality of 
characters in sequential positions identifying the 
authorised person; 

receiving a second code comprising a plurality of 
characters in sequential positions obtained from an actual 
user; 

comparing the characters of the second code with the 
characters in corresponding positions of the first code to 
determine identity between the codes in all but one of the 
character positions; and 

producing an authentication signal if the characters of 
the first and second codes match in all but one of their 
character positions or an invalid signal in other cases. 

In a second embodiment, the second code has more character 
positions than the first code and the compare means compares 
the characters of the second code with the characters of the 
first code to determine whether the second code contains a 
sequence of characters in the same order as the sequence in 
the first code. The output means produces an authentication 
signal if the second code contains a sequence of characters 
corresponding to that in the first code or an invalid signal 
in other cases. 

In the second embodiment, the computer system can be 
arranged to authenticate the second code whether or not the 
sequential characters in the second code have different 
relative character positions. 
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The compare means can then be operable to compare each 
character of the second code with the character in the 
corresponding position of the first code and, in the case of 
a mismatch, compare the next character of the second code 
with the just compared character of the first code. 



In one simple yet effective implementation, the second code 
has just one more character than the first code so that once 
a mismatch has been found, no other mismatches are tolerated 
in the remaining characters. 

The second embodiment also provides a method of 
authenticating an authorised person comprising the steps of: 

receiving a first code comprising a plurality of 
characters in sequential positions identifying the 
authorised person; 

receiving a second code comprising a plurality of 
characters in sequential positions obtained from an actual 
user, the second code having more characters than the firsft 
code ; 

comparing the characters of the second code with the 
characters of the first code to determine whether the second 
code contains a sequence of characters in the same order as 
the sequence in the first code; and 

producing an authentication signal if the second code 
contains a sequence of characters corresponding to that in 
the first code or an invalid signal in other cases. 

The second code can be obtained from a user in a variety of 

different ways. He can enter it himself via a keypad or 

other input device, or he can supply it verbally to an 

operator to enter into a computer system via a keypad or 
other input device. 
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Alternatively , the computer system can be arranged to 
display a plurality of character sequences to a user, only 
one of which has been coded according to the predetermined 
corruption algorithm, and the user is asked to select from 
this plurality by depressing a key or in some other way. 

These systems are particularly appropriate for 
authenticating the user of an identification article when 
the article is offered for use in a transaction. They also 
provide an effective resistance to hackers attempting to 
seek unauthorised access to a computer system. 

The concept underlying the present invention for one of its 
applications is that a permitted user of an identification 
article such as a credit card will be given a personal 
identification number with the card and will be instructed 
not to use the personal identification number in the form in 
which it has been given but only to use deliberately 
corrupted versions thereof. More specifically, in the first 
embodiment, a user will be instructed to deliberately alter 
one character in his personal identification number before 
he uses it. In the second embodiment, he will be instructed 
to deliberately add one character into his personal 
identification number before he uses it. The computer 
system is set up to recognise such deliberately corrupted 
versions of the personal identification number as authentic 
versions thereof. 

Preferably, once one version of the personal identification 
number has been used this version is stored in the computer 
system and subsequent attempts to use that version within a 
predetermined time period result in an invalid signal being 
produced. This has a big advantage in deterring would-be 
credit card thieves since they would know that even if they 
perceived or heard a personal identification number being 
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given when the credit card was used they would not be able* 
to use that same number but would have to guess the correct 
personal identification number so that they could produce a 
different corrupted version of it* This presents would-be 
thieves with a serious difficulty because when the first 
version of the personal identification number is given they 
are not able to ascertain from that which digit has been 
altered or added so it is a matter of guess work for them to 
establish what the correct personal identification number 
was. An attempt to use an incorrect version of a personal 
identification number with an authentication article would 
naturally cause security measures to be implemented with a 
high probability of the thief being apprehended if a 
fraudulent use was attempted . 

In the preferred implementation of the first embodiment, the 
computer system is set up to determine when all but one of 
the characters in the respective positions match. It can 
operate to ignore the excepted character once a match in all 
other characters has been obtained, in which case the system 
will recognise the correct personal identification number in 
addition to authentic versions thereof. To prevent the 
correct number from being accepted as authentic, this can be 
added to the list of stored numbers which have been used. 
As an alternative, the computer system can determine not 
only that there is match in all but one of the computer 
positions but that there is a mismatch in the excepted 
character. 

In the preferred implementation of the second embodiment, 
the computer system is set up to determine when all of the 
characters in the second code match characters in respective 
sequential positions in the first code. It can operate to 
ignore a mismatch in one character position provided that 
there is a match in all other characters in the correct 
sequence. 
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Preferably the computer system comprises first input means 
for receiving data derived from the identification article 
itself and storage means for storing a first code in 
association with the data derived from the identification 
article. The first input means can for example be a 



keyboard or a magnetic stripe reader. The computer system 
is preferably also provided with second input means by which 
an operator can input the second code offered by the actual 
user of the identification article. 

In a further preferred arrangement,, there can be stored with 
data to be derived from the identification article not only 
an appropriate first code but also other user data 
associated with the permitted user such as his address, 
telephone number r age, date of birth etc. With this 
arrangement, if an invalid version of the personal 
identification number is given an operator will be 
instructed to ask further questions about the permitted user 
of the card which a thief could not answer. Already at this 
stage the level of security has increased substantially 
acting as a significant deterrent to a would-be thief. 

For a better understanding of the present invention and to 
show how the same may be carried into effect reference will 
now be made by way of example to the accompanying drawings 
in which: — 

Figure 1 is a diagram of a computer system for 
implementing an authentication method; 

Figure 2 is a flow chart illustrating an authentication 
method of the first embodiment; and 

Figure 3 is a flow chart illustrating an authentication 
method of the second embodiment. 



The authentication method will firstly be described in 
general terms to explain the basic concept. 
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A retailer requests a credit card and a personals 
identification number from the person presenting the credit 
card. The person presenting the credit card has been 
advised of his personal identification number and has been 
instructed to offer it in a deliberately corrupted form, for 
example with one digit deliberately changed to another value 
or with an extra digit added. Thus, as one example of the 
first embodiment, if his personal identification number is 
1234 he will tell the retailer 2234 or 1254 for example. As 
one example of the second embodiment, for the same personal 
identification number 1234 he will tell the retailer 12534 
or 13234 for example. The retailer enters details from the 
credit card into a computer system either manually or by 
passing the card through a magnetic stripe reader and this 
provides to the computer system the correct personal 
identification number associated with that card. 

The retailer then enters the version of the personal 
identification number offered by the customer into the 
computer system and awaits an authentication or invalid 
signal. Alternatively, the customer enters the number 
himself. If the version of the personal identification 
number which has been offered differs from the correct 
personal identification number according to a predetermined 
corruption algorithm and if that version of the personal 
identification number has not already been used within a 
predetermined time period the computer system will indicate 
that the user is authenticated. 

In other circumstances the computer system will produce a 
transaction invalid signal and this will prompt the retailer 
to ask further questions of the customer concerning personal 
details relating to the permitted user of the card. 

Reference is now made to Figure 1 to describe the computer 
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system. The computer system comprises an input device 1 
which includes a magnetic stripe reader 2 for reading data 
from a credit card and a keyboard 4 comprising a plurality 
of numbered keys 6 by means of which a personal 
identification number can be entered. The input device 1 is 
connected to a controller 8 which has access to a memory 
10. In the memory 10 there is stored a databank having a 
plurality of files, each file being identifiable by data 
derived from the credit card and containing permitted user 
data including a personal identification number and 
additional user data such as the permitted user's address , 
telephone number, age, date of birth etc. The computer 
system includes a comparator 12 for receiving the user's 
personal identification number from the memory 10. The 
comparator 12 also receives via the controller 8 the 
identification number which is entered using the keys 6 of 
the input means. These are identified respectively by PIN 1 
and PIN 2 in Figure 1. The comparator produces an output 
signal which is either transaction authenticated or 
transaction invalid according to the results of the 
comparison of PIN 1 and PIN 2. 

Reference will now be made to Figure 2 to illustrate how the 
computer system operates in the first embodiment. In step 
20 data is derived from a credit card offered for use via 
the magnetic stripe reader 2 and is passed to the controller 
8 to cause the PIN (PIN 1) associated with the permitted 
user of that credit card to be located. In the 
circumstances that the credit card itself is rejected as 
being invalid (due to credit data or as a result of having 
already been reported stolen) or if information concerning 
that card is not found in the memory 10 the transaction is 
rejected. At step 21, the length of the PIN (PIN 2) offered 
by the user is compared with the authentic PIN (PIN 1) and 
if the number of characters is not the same the transaction 
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is rejected. If the number is the same, the method proceeds 
to step 22. At step 22 the count of mismatched characters 
is initialised to 0. At step 24 the character position is 
initialised to 1, that is the first character of the stored 
personal identification number is compared with the first 
character of the personal identification number offered by 
the user of the credit card. If the characters are the same 
the method proceeds by checking the next character position 
to see whether there are further characters. The next 
character of the stored personal identification number is 
then compared with the next character of the offered 
personal identification number. In each case if the 
characters are the same the checking loop 25 moves directly 
to check the next character and, if the characters are 
different, at step 26 one is added to the count of 
mismatched characters before the next character is checked. 

When there are no more characters to be checked the stored 
count of mismatched characters is examined. If this count 
is not equal to the allowed number, e.g. if there is more 
than the allowed number of mismatched characters, the 
transaction is rejected. If the count of mismatched 
characters equals the allowed number the computer system 
then checks to see whether or not that version of the 
personal identification number has already been used within 
a predetermined time period. If it has the transaction is 
rejected. If it has not this version of the personal 
identification number is added to the store of already used 
personal identification numbers and the transaction is 
accepted. Preferably the allowed number of mismatched 
characters is one. 

In an alternative embodiment, the checking loop operates 
differently. Once step 21 has been carried out to verify 
the length of the PIN 2, the characters of each PIN are 
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compared in their corresponding positions to determine 
whether there are at least n-1 matches where n is the number 
of characters in each PIN. In this arrangement , the 
authentic PIN 1 itself would be validated but this could be 
rejected at the next stage by having it stored with the 
previously used PIN 2's for comparison. 

Reference will now be made to Figure 3 to illustrate how the 
computer system operates according to the second 
embodiment. In step 20 data is derived from a credit card 
offered for use via the magnetic stripe reader 2 and is 
passed to the controller 8 to cause the PIN (PIN1) 
associated with the permitted user of that credit card to be 
located. In the circumstances that the credit card itself 
is rejected as being invalid (due to credit data or as a 
result of having already been reported stolen) or if 
information concerning that card is not found in the memory 
10 the transaction is rejected. At step 21 , the length of 
the authentic PIN (PIN1) is subtracted from the PIN (PIN2) 
offered by the user and at step 22 the result is compared 
with the allowed number of characters by which PIN2 can 
exceed PIN1. If the number of characters is not the same 
the transaction is rejected. If the number is the same, the 
method proceeds to step 23. At step 23 the comparison 
position is set to the first character of PIN1 and at 23a to 
the first character of PIN2. At step 24 the first character 
of the stored personal identification number is compared 
with the character in the first character position of the 
personal identification number offered by the user of the 
credit card. If the characters are the same the method 
proceeds by checking at step 25 the next character position 
to see whether there are further character positions in PIN1 
to be checked. If there are, the next character of the 
stored personal identification number is then compared at 
steps 26a and 26b with the character in the next position of 
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the offered personal identification number PIN2. In each 
case if the characters are the same the checking loop 30 
moves directly to check the next character until there are 
no further character positions in PIN2 to be checked. If at 
step 24 the characters are not the same, the next • character 
position of PIN2 is compared with the first character of 
PIN1. If there is a match, the method proceeds around the 
checking loop 30. If there is a mismatch and if there are 
no further character positions in PIN2 to check, the 
transaction is rejected. 

The checking loop 3 0 proceeds until the equality following 
the comparison step 25 is satisfied and provided that the 
transaction has not been rejected as a result of mismatch in 
a character. If a sequence of characters has been located 
in the second code (PIN2) corresponding to the first, code 
(PIN1) the computer system then checks at step 28 to see 
whether or not that version of the personal identification 
number has already been used within a predetermined time 
period. If it has the transaction is rejected. If .it has 
not this version of the personal identification number is 
added to the store of already used personal identification 
numbers at step 29 and the transaction is accepted. 

By operating the computer system to authenticate only 
deliberately corrupted versions of a personal identification 
number there is a far greater deterrent to a would-be thief 
since he would not be able to tell from a corrupted version 
what the correct personal identification number is. 
Moreover, if an attempt was made to use the corrupted 
version which had just been given the transaction would be 
rejected and security measure implemented. 



It will be appreciated that the identification information 
can take any convenient form and in particular can be an 
alphanumeric string. 
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CLAIMS : 

1. A computer system for authenticating the identity of an 
authorised person, the computer system comprising: 

compare means operable to receive a first code 
comprising a plurality of characters in sequential positions 
identifying the authorised person and- a second code 
comprising a plurality of characters in sequential positions 
obtained from an actual user and to compare the character of 
the first code with the characters of the second code to 
determine whether the second code is a corrupted version of 
the first code according to a predetermined corruption 
algorithm ; and 

output means for producing an authentication signal if 
the first and second codes differ according to the 
predetermined corruption algorithm. 

2. A computer system according to claim 1 wherein the 
compare means is operable to compare each character of the 
second code with the character in the corresponding position 
of the first code to determine identity between the codes in 
all but a predetermined number of character positions; and 

the output means is operable to produce an 
authentication signal if the characters of the first and 
second codes differ at only said predetermined number of the 
character positions or an invalid signal in other cases. 

3 . A computer system according to claim 2 wherein the 
predetermined number is one. 

4 . A computer system according to claim 1 wherein the 
second code has more character positions than the first code 
and the compare means compares the characters of the second 
code with the characters of the first code to determine 
whether the second code contains a sequence of characters in 
the same order as the sequence in the first code, the output 
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means being operable to produce an authentication signal if 
the second code contains a sequence of characters 
corresponding to that in the first code or an invalid signal 
in other cases. 

5. A computer system according to claim 4 which is 
arranged to authenticate the second code whether or not the 
sequential characters in the second code have different 
relative character positions. 

6. A computer system according to claim 5 wherein the 
compare means is operable to compare each character of the 
second code with the character in the corresponding position 
of the first code and, in the case of a mismatch, compare 
the next character of the second code with the just compared 
character of the first code. 

7. A computer system according to any preceding claim 
which comprises first input means for receiving data derived 
from an identification article and storage means for storing 
a first code in association with the data derived from the 
identification article. 



8. A computer system according to claim 7 wherein the 
first input means comprises a keyboard. 

9. A computer system according to claim 7 wherein the 
first input means comprises a magnetic stripe reader. 

10. A computer system according to any of claims 7 to 9 
which is provided with second input means by which the 
second code offered by the actual user of the identification 
article can be input. 

11. A computer system according to claim 7 which is 
arranged to generate a plurality of character sequences 
responsive to the first code, only one of which represents a 
properly corrupted version of the first code so that a user 
can select from said plurality. 
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12. A computer system according to claim 7 wherein the 
storage means is also used to store with data to be derived 
from the identification article not only a first code but 
also other user data associated with the authorised user. 

13. A method of authenticating an authorised person 
comprising the steps of: 

receiving a first code comprising a plurality of 
characters in sequential positions identifying the 
authorised person; 

receiving a second code comprising a plurality of 
characters in sequential positions obtained from an actual 
user; 

comparing the characters of the first code with the 
characters of the second code to determine whether the 
second code is a corrupted version of the first code 
according to a predetermined corruption algorithm; and 

producing an authentication signal if the first and 
second codes differ according to the predetermined 
corruption algorithm. 

14. A method according to claim 13 wherein the characters 
of the second code are compared with the characters in the 
corresponding positions of the first code to determine 
identity between the codes in all but one of the character 
positions and wherein the authentication signal is produced 
if the characters of the first and second codes match in all 
but one of the character positions. 

15. A method according to claim 13 wherein the characters 
of the second code are compared with the characters of the 
first code to determine whether the second code contains a 
sequence of characters in the same order as the sequence in 
the first code, the second code having more characters than 
the first code, and wherein the authentication signal is 
produced if the second code contains a sequence of 
characters corresponding to that in the first code. 
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16. A computer system for authenticating the identity of an 
authorised person substantially as hereinbefore described 
with reference to or as shown in Figure 1 of the drawings, 

17. A method of authenticating the identify of an 
authorised person substantially as hereinbefore described 
with reference to the accompanying drawings. 
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